A deeper look: NoviSpy
diving into NoviSpy samples
Source: https://www.amnesty.org/en/documents/eur70/8813/2024/en/
“A newly discovered Serbian Android spyware system with capabilities to collect extensive information from a targeted Android phone.”
Sample hashes shared in the report:
- com.accesibilityservice (not found!) 99673ce7f10e938ed73ed4a99930fbd6499983caa7a2c1b9e3f0e0bb0a5df602
- com.serv.services (not found!) 087fc1217c897033425fe7f1f12b913cd48918c875e99c25bdb9e1ffcf80f57e
- com.li.activity (older variant) 54ee2c4f3e2396b6f92def135d68abd35d63ca7f9c304633a36f705ba4728cb7
- com.gu.activity (older variant) d55e492d5fce87898e065572a5553d1ac1389cd12bf3d28cabc1218cb29780af
Brief Analysis
I won’t be digging too much into this one, primarily because they aren’t really pushing the envelope when it comes to obfuscation or functionality. This is yet another application impersonating a messenger that secretly steals data and gathers device information.
I did want to offer a quick peek behind the curtain at the underlying code.
54ee2c4f3e2396b6f92def135d68abd35d63ca7f9c304633a36f705ba4728cb7
Icon SHA-1: b7b577f7f0b8b0a231bf420ce17e55f3b543c498
Package name: com.li.activity
Main Activity: com.li.activity.SignInActivity
Activities:
com.li.activity.SignInActivity
com.li.activity.ChangePasswordActivity
com.li.activity.CommentActivity
com.li.activity.ContactUsActivity
com.li.activity.LostPasswordActivity
com.li.activity.MessageActivity
com.li.activity.MessageListActivity
com.li.activity.RegisterActivity
com.li.activity.SettingsActivity
com.li.activity.UserListActivity
com.li.activity.WebPageActivity
com.li.activity.WebPageDetailsActivity
com.li.activity.WebPageListActivity
com.li.activity.WebPageListAnonymousActivity
Services:
com.li.MainService
Receivers:
com.li.BootCompletedReceiver
com.li.NetworkChangeReceiver
Infra:
94.140.125[.]174
79.101.110[.]108
195.178.51[.]251
176.223.111[.]131
185.86.148[.]174
d55e492d5fce87898e065572a5553d1ac1389cd12bf3d28cabc1218cb29780af
Icon SHA-1: 68671145b4c27636f8e58f8c45909b3b62cf3692
Package name: com.gu.activity
Main Activity: com.gu.activity.SignInActivity
Activities:
com.gu.activity.SignInActivity
com.gu.activity.ChangePasswordActivity
com.gu.activity.CommentActivity
com.gu.activity.ContactUsActivity
com.gu.activity.LostPasswordActivity
com.gu.activity.MessageActivity
com.gu.activity.MessageListActivity
com.gu.activity.RegisterActivity
com.gu.activity.SettingsActivity
com.gu.activity.UserListActivity
com.gu.activity.WebPageActivity
com.gu.activity.WebPageDetailsActivity
com.gu.activity.WebPageListActivity
com.gu.activity.WebPageListAnonymousActivity
Services:
com.gu.MainService
Receivers:
com.gu.BootCompletedReceiver
com.gu.NetworkChangeReceiver
Infra:
94.140.125[.]174
79.101.110[.]108
195.178.51[.]251
176.223.111[.]131
185.86.148[.]174
Both packages have the same overview, so only one is shown:
Pivoting
Other sample(s):
eda805bdaedb05b752486d37ae459047aca4e0a93fc8f520db63fc8b16379cec
pivot: 176.223.111[.]131, 185.86.148[.]174, icon hash
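To make the pivot above reproducible, here is an added Python example (my own code, not from the post or from the NoviSpy samples) that links a new sample to the two known variants by shared refanged infra, icon SHA-1, and a package-agnostic fingerprint of the manifest components. The candidate's package name, icon hash and component list are assumptions, since the post gives only its hash and the indicators it pivoted on.

```python
import hashlib
# Manifest components of the com.li.* / com.gu.* variants with the vendor prefix removed (from the post).
COMPONENTS = ("activity.SignInActivity", "activity.ChangePasswordActivity", "activity.CommentActivity",
              "activity.ContactUsActivity", "activity.LostPasswordActivity", "activity.MessageActivity",
              "activity.MessageListActivity", "activity.RegisterActivity", "activity.SettingsActivity",
              "activity.UserListActivity", "activity.WebPageActivity", "activity.WebPageDetailsActivity",
              "activity.WebPageListActivity", "activity.WebPageListAnonymousActivity", "MainService",
              "BootCompletedReceiver", "NetworkChangeReceiver")
INFRA = ("94.140.125[.]174", "79.101.110[.]108", "195.178.51[.]251", "176.223.111[.]131", "185.86.148[.]174")

def refang(ioc):
    """Turn the defanged '94.140.125[.]174' form back into a comparable string."""
    return ioc.replace("[.]", ".").strip()

def make_sample(sha256, package, icon_sha1, infra, comps):
    """Build a sample record; component names get qualified with the vendor namespace (e.g. com.li)."""
    ns = ".".join(package.split(".")[:2])
    return {"sha256": sha256, "package": package, "icon_sha1": icon_sha1,
            "infra": frozenset(map(refang, infra)), "components": tuple(f"{ns}.{c}" for c in comps)}

def component_fingerprint(sample):
    """SHA-256 of sorted component names minus their first two labels: a rebrand (com.li -> com.gu) keeps the value."""
    names = sorted(c.split(".", 2)[-1] for c in sample["components"])
    return hashlib.sha256("\n".join(names).encode()).hexdigest()

def pivots(candidate, known, min_shared_infra=2):
    """For each known sample, list the indicators (infra / icon / components) that link it to the candidate."""
    hits = {}
    for k in known:
        reasons = []
        shared = candidate["infra"] & k["infra"]
        if len(shared) >= min_shared_infra:
            reasons.append("infra:" + ",".join(sorted(shared)))
        if candidate["icon_sha1"] == k["icon_sha1"]:
            reasons.append("icon")
        if component_fingerprint(candidate) == component_fingerprint(k):
            reasons.append("components")
        if reasons:
            hits[k["sha256"]] = reasons
    return hits

KNOWN = [
    make_sample("54ee2c4f3e2396b6f92def135d68abd35d63ca7f9c304633a36f705ba4728cb7", "com.li.activity",
                "b7b577f7f0b8b0a231bf420ce17e55f3b543c498", INFRA, COMPONENTS),
    make_sample("d55e492d5fce87898e065572a5553d1ac1389cd12bf3d28cabc1218cb29780af", "com.gu.activity",
                "68671145b4c27636f8e58f8c45909b3b62cf3692", INFRA, COMPONENTS),
]
# Constructed candidate: the post's third hash plus the two IPs it pivoted on; package, icon hash and components are assumed.
CANDIDATE = make_sample("eda805bdaedb05b752486d37ae459047aca4e0a93fc8f520db63fc8b16379cec", "com.xx.activity",
                        "68671145b4c27636f8e58f8c45909b3b62cf3692", ("176.223.111[.]131", "185.86.148[.]174"), COMPONENTS)
```

Raising min_shared_infra above the number of IPs the candidate actually contacted drops the infra reason while the structural and icon links remain, which is the point of combining independent pivots.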
Passwords:
“kataklinger vibercajzna” (u: root) (note: appears to be Slovenian)
(com.gu.db.DbUtil) (80AF)
(com.li.db.DbUtil) (8CB7)